[Metricbeat] Add support for IAM Roles for Service Accounts (EKS)

[Dudssource]

Describe the enhancement:

It would be really nice to be able to use this additional authentication mechanism when running metricbeat inside Elastic Kubernetes Service (specially when using the AWS Module).

Describe a specific use case for the enhancement or feature:

I tried to configure metricbeat following the AWS official documentation Specifying an IAM role for your service account (we use this approach successfully with other components like ALB Ingress Controller, External DNS, Fluxcd and so on) and even if I change the container permissions to be able to read the token file (fsGroup: 472) metricbeat insists to use the worker node role (which is not what we want).

We are using metricbeat version 7.8.0.

This feature would enable more flexibility and security since metricbeat requires some additional permissions that may not be desirable to share with all pods running on the same cluster.

Follow the configuration we tried to use on metricbeat deployment (setting fsGroup to 472 works for other deployments):

securityContext:
  fsGroup: 472
  runAsGroup: 472
  runAsUser: 0

We don't manually specify any AWS auth related env because AWS does that for us (when using IRSA) and with that the AWS SDK should detect the injected environments (AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE).

Thanks.

[kaiyan-sheng]

Hi! Thanks for opening this issue. Have you tried using role_arn config in aws module? If so, what's the error you see in the log file? Thanks!

[Dudssource]

Hi @kaiyan-sheng
Thank you for quick reply!

Sure, when I tried to directly configure the role_arn attribute I get an error about the worker node not being able to assume the informed role.

My module configuration:

aws.yml: |-
  - module: aws
    period: 86400s
    metricsets:
      - s3_request
      - s3_daily_storage
    role_arn: arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e
  - module: aws
    period: 300s
    metricsets:
      - cloudwatch
    metrics:
      - namespace: AWS/EBS
      - namespace: AWS/ELB
      - namespace: AWS/EC2
    role_arn: arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e
  - module: aws
    period: 12h
    metricsets:
      - billing
  - module: aws
    period: 300s
    metricsets:
      - ec2
      - ebs
      - elb
      - rds
      - sqs
      - lambda
      - natgateway
      - usage
      - transitgateway
      - vpn
    role_arn: arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e

The error:

2020-06-25T15:16:56.653Z	ERROR	instance/beat.go:958	Exiting: 2 errors: error creating aws metricset: failed to retrieve aws credentials, please check AWS credential in config: AccessDenied: User: arn:aws:sts::REDACTED:assumed-role/eksworker-REDACTED/i-02b67703d5184bafd is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e
	status code: 403, request id: 4acd0566-31b2-4043-a6b1-99d5b19aa60d; error creating aws metricset: failed to retrieve aws credentials, please check AWS credential in config: AccessDenied: User: arn:aws:sts::REDACTED:assumed-role/eksworker-REDACTED/i-02b67703d5184bafd is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e
	status code: 403, request id: 7c662cbb-4fbd-4b41-930d-8da3e64797ad
Exiting: 2 errors: error creating aws metricset: failed to retrieve aws credentials, please check AWS credential in config: AccessDenied: User: arn:aws:sts::REDACTED:assumed-role/eksworker-REDACTED/i-02b67703d5184bafd is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e
	status code: 403, request id: 4acd0566-31b2-4043-a6b1-99d5b19aa60d; error creating aws metricset: failed to retrieve aws credentials, please check AWS credential in config: AccessDenied: User: arn:aws:sts::REDACTED:assumed-role/eksworker-REDACTED/i-02b67703d5184bafd is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e

It seems that in order to be able to use the IRSA feature, another kind of credential provider need to be used (for go aws-sdk I believe that the right one is NewWebIdentityRoleProvider)

[elasticmachine]

Pinging @elastic/integrations-platforms (Team:Platforms)

[kaiyan-sheng]

Thank you for the information! Did you try adding sts:AssumeRole permission into your IAM role by any chance? I will also look into IRSA later. Thanks!

[Dudssource]

Sure!
In my understanding if I somehow attach the sts:AssumeRole permission to the arn:aws:iam::REDACTED:role/eksworker-REDACTED role, that will consequently associate the metricbeat role to all my running pods (since by default every kubernetes pod running on EKS 'inherit' the underlying worker node role and then an application will be able to assume the arn:aws:iam::REDACTED:role/metricbeat-2dcb05e3ec36c34e role).

The workaround was to attach the metricbeat related policy to the EKS worker node role, but unfortunately this also gives the the inconvenient permission to the whole cluster = /

Is there anything I can do to help on this issue?

Thanks!

[jpenniman]

This is a major security issue and against AWS best practice. Pods should not be assuming the node role. That's why Amazon allows us to map K8s service roles to IAM roles: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html

The vulnerability comes from the possibility of rogue code or infected pod taking control. I'm happy to dig up the exact vulnerability(ies) if needed.

What is the status of this? Can we expect an updated set of beats soon? This gap will likely cause us to fail our security audits and/or well architected review.

[kaiyan-sheng]

@jpenniman @Dudssource I just started a draft PR for adding support for IRSA for EKS. I don't know what's the timeline on this yet but please feel free to review the PR once it's not in draft state.